MS Intune MDM
Table of Contents
- Crafting Custom OMA-URI’s
- Publish EXE on Company Portal
- Publish MSI on Intune Company Portal
- Test Deployment Locally
- Silent Install Cheatsheet
Crafting Custom OMA-URI’s
OMA-URI Syntax
./<Scope>/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_When building out the OMA-URI path to configure a setting in Windows 10, you’ll need to get these bits of information from the CSP documentation. Luckily, these are all easy to get:
- Scope
- Root node
- Policy CSP sub-category
- Area and policy name
Scope
There are two scope available for applying CSP settings: User and Device. This determines whether the GPO is applied at the local machine level for all users, or if it will be for the CurrentUser only. Thus, your OMA-URI may start with ./Device or ./User.
Root Node
The root node of the Policy CDP is always called /Vendor/MSFT/Policy. That will be the root node for all custom policies used with Intune. At this point, your OMA-URI path will look like ./Device/Vendor/MSFT/Policy or ./User/Vendor/MSFT/Policy
Policy CSP Sub Category
The Policy CSP has two sub-categories: Policy/Config/AreaName and Policy/Result/AreaName. We’re only ever going to care about the Policy/Config/AreaName. So, now the OMA-URI path looks like the following Where AreaName is something we still need to define:
./<Scope>/Vendor/MSFT/Policy/Config/AreaNamePolicy Name Information
We’ll need more than just the AreaName to finish building our OMA-URI path—we also need the PolicyName. The AreaName/PolicyName specifies the name/value pair used in the policy. To find the AreaName/PolicyName combination, just skim through the list of available policies at the bottom of your favorite CSP documentation page to see which section matches your custom policy requirements. Once you have that, you’re done!
The final, full OMA-URI path looks something like this:
./<Scope>/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_Publish EXE on Intune Company Portal
The following steps do not apply to MSI files. These steps work for other installers such as exe files.
A copy of this app is in the Intune Apps folder on Sharepoint. You can also download a copy if needed from Github. GitHub - microsoft/Microsoft-Win32-Content-Prep-Tool: A tool to wrap Win32 App and then it can be uploaded to Intune
Download the EXE file and save it in “Intune Apps” under the IT teams Documents folder: https://xentermd.sharepoint.com/sites/it/Shared%20Documents
Download a logo for the EXE application and save it in the logos folder: https://xentermd.sharepoint.com/sites/it/Shared%20Documents/Forms/AllItems.aspx?id=%2Fsites%2Fit%2FShared%20Documents%2FIntune%20Apps
Next you need to find the silent install and silent uninstall commands. There is no set standard and this command will vary by application. Consult the relative documentation or google for help figuring out what the install and uninstall commands are. Tip for finding commands is to run the installer combined with
/help,--help, or/?. Many installers have a built in list triggered by a help command that shows all applicable arguments.Run this command as an administrator to create the Intune file that you will upload.
- Setup Folder = A folder containing the exe and other files required for installation.
- Source Setup File = The EXE executable
- Output Folder = Where you want to save the intune app file
IntuneWinAppUtil.exe -c <setup_folder> -s <source_setup_file> -o <output_folder> <-q>
- Setup Folder = A folder containing the exe and other files required for installation.
Publish MSI on Intune Company Portal
The following steps on work for MSI files. See “Publish EXE on Company Portal” for any other installer type.
- Download the MSI installer and a logo for the application.
- Login to admin.microsoft.com. Then go to `All admin centers > Microsoft Intune > Apps > Windows > Add.
- When you click add, it will prompt you to select an app type. Choose Line-of-business app. Click select.
- On the next page it will ask you to select an app package file. It wants you to select the MSI file.
- The next page will prompt you to fill in information for the new application. Make sure to fill the following fields appropriately:
- Name: Required, should be the name of the software without the developers name or the version number.
- Description: A description of the application that includes the vendor, developer, software name, and version number.
- Publisher: The developer or vendor of the software.
- App install context: This should almost always be set to Device. This option sets whether the program is installed to the local machine (Device), or the current user (User).
- Category: Select the appropriate categories that the application belongs to.
- Information URL: A URL to an information or about page on the vendors website.
- Privacy URL: A URL to the privacy policy for the vendor.
- The next page will prompt you to choose who has the ability to install the software or if its required. Add groups and users according to the level of access you want to grant them.
- Review your settings and confirm that all looks correct. Then click the Create button to publish the software to Intune’s Company Portal.
- Open the company portal on your computer and confirm that you are able to install the software via the portal.
Test Deployment Locally
For testing deployment locally through there are a couple tricks you can use to install software very quickly. Normally, it takes up to 24 hours to have software pushed to a computer. Most often it takes like 30 minutes to an hour.
Go to admin.microsoft.com and head to the Microsoft Intune (formerly Endpoint Manager). Go to
Devicesand find a section calledOrganize Devicesand findFilters. If there is not an IT Testing filter, create one specific for you.Create a filter for
Managed Devicesthat follows this logic.deviceName equals (YOUR DEVICE AS SHOWN IN INTUNE).Head back to the app you created for deployment. Edit the properites, specifically the assignments. Make the app available for all enrolled devices and add the filter you just created to the app and save changes.
Then on your computer open the
Company Portalapp and sync your computer via the settings. This allows you to nearly instantly start the app deployment to your computer. Just make sure to change the deployment properties back after you test.
Silent Install Cheatsheet
Below is a table of software and its corresponding silent install/uninstall commands for deployment via Intune.
| Program | Install Command | Uninstall Command | Detection Rule |
|---|---|---|---|
| Bitwarden | Bitwarden-Installer-2024.4.3.exe /allusers /S | “C:FilesBitwarden.exe” /allusers /S | HKEY_LOCAL_MACHINE\173a9bac-6f0d-50c4-8202-4744c69d091a= Value Exists |
| NI Package Manager | NIPackageManager24.3.0.exe –quiet –accept-eulas –prevent-reboot | “C:FilesInstrumentsPackage Manager.exe” remove ni-package-manager –force-locked –force-essential –quiet | |
| NI System Configuration | C:FilesInstrumentsPackage Manager.exe install ni-system-configuration | C:FilesInstrumentsPackage Manager.exe remove ni-system-configuration | C:FilesInstrumentsPackage Manager.exe = File or folder exists |
| Python 3.8 | python-3.8.10-amd64.exe /quiet InstallAllUsers=1 PrependPath=1 Include_test=0 CompileAll=1 | python-3.8.10-amd64.exe /quiet /uninstall | HKEY_LOCAL_MACHINE{A0FBEF5B-B925-4F86-9B50-A7315736C481}== 3.8.10150.0 |
| Python 3.12 | python-3.12.3-amd64.exe /quiet InstallAllUsers=1 PrependPath=1 Include_test=0 CompileAll=1 | python-3.12.3-amd64.exe /quiet /uninstall | HKEY_LOCAL_MACHINE{474E5879-A9D5-4DF5-9385-ADF7E224CEC7}== 3.12.3150.0 |
| VS Code | VSCodeSetup-x64-1.89.0.exe /VERYSILENT /NORESTART /SUPPRESSMSGBOXES /MERGETASKS=!runcode | “C:FilesVS Code000.exe” /VERYSILENT /NORESTART /SUPPRESSMSGBOXES | HKEY_LOCAL_MACHINE{EA457B21-F73E-494C-ACAB-524FDE069978}_is1= value exists |
| Adobe Acrobat Reader | AcroRdrDC2400520414_en_US.exe /qn /i /sALL | msiexec /x {AC76BA86-7AD7-1033-7B44-AC0F074E4100} /qn /norestart | |
| wkhtmltopdf | wkhtmltox-0.12.6-1.msvc2015-win64.exe /S | “C:Files.exe” /S | HKEY_LOCAL_MACHINE== 0.12.6-1 |
| Pritunl | Pritunl.exe /VERYSILENT /SP- /NORESTART | Pritunl000.exe /VERYSILENT /NORESTART | |
| SQL Server Management Studio | SSMS-Setup-ENU.exe /install /quiet | SSMS-Setup-ENU.exe /uninstall /quiet | File C:Files (x86)SQL Server Management Studio 20 |
| Screensaver | %SystemRoot%.0.exe -executionpolicy bypass -command ..ps1 | %SystemRoot%.0.exe -executionpolicy bypass -command ..ps1 | check.ps1 |
| Logitech G Hub | lghub_installer.exe –silent | lghub_installer.exe –uninstall –silent | “C:Files” |
| GLPI Agent | msiexec /i “GLPI-Agent-1.12-x64.msi” /qn SERVER=https://inventory.xenter.io | msiexec /x “{45D3C1CE-6BFC-1014-99FD-ECF905C12127}” /qn | MSI {45D3C1CE-6BFC-1014-99FD-ECF905C12127} |